Security by numbers?

A recent Aberdeen Group Inc. report claims that open source is less secure than Windows.

And how did they come to this profound conclusion? Apparently, they counted the number of CERT advisories in the past couple of years and found more associated with open-source software than with Windows.

Unfortunately, that's like comparing the number of humans to ants and concluding that ants must be the dominant species due to their larger numbers. Simple numbers can yield incorrect conclusions when taken out of context.

So how can one do an intelligent comparison of security incidents?

Don't count duplicates. One security flaw in a utility can yield a separate report for each distribution that uses that utility. If five Linux distributions each have the utility, you have one real problem, not five.

Identify problems in distributions. Most companies run on code included in specific Linux or BSD distributions. Many security flaws that briefly exist in code on a developer's Web site are fixed before that code makes its way into a distribution. So if your business is using Red Hat, count the bugs that actually appear in your version of Red Hat. Including bugs that appear in other distributions doesn't really tell you how exposed you are.

With most open-source operating systems, much of the software is not installed by default. For example, a flaw in Sendmail might be serious, but only if you have Sendmail installed. Many distributions use Postfix or Qmail to handle mail by default, so a Sendmail bug might mean nothing to you.

You cannot simply compare exploits in open source to Windows. Open source covers multiple operating systems, distributions, and programs. Even comparing a single distribution to Windows is flawed because a single distribution is likely to contain multiple office suites, database systems, and countless utilities that must be purchased separately in the Windows world. Instead, compare the total software on your typical Linux or BSD box to that of your typical Windows PC.

It isn't enough to consider the number of security holes. You need to know how quickly the patches occur. A hole that stays open for weeks can be far more dangerous than a few holes that can be closed in hours.
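The four counting rules above, applied to a small constructed set of advisory records as an added example (not part of the original column; every advisory, package, distribution name and date below is made up for illustration):

```python
# Added example, not from the article. Shows how a raw advisory count shrinks once
# duplicates are collapsed, only your distribution and installed packages are kept,
# and each remaining flaw is weighted by how long it stayed open.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # one report per distribution, as advisory feeds produce
    flaw_id: str          # the underlying bug; several advisories may share one
    package: str
    distro: str           # "upstream" = the developer's own release, not a distribution
    disclosed: date
    patched: Optional[date]  # None means no fix yet

# Constructed sample: one sendmail flaw reported against three distributions plus
# upstream, one openssh flaw on two distributions, and one upstream-only zlib bug
# fixed before any distribution shipped it.
ADVISORIES = [
    Advisory("A-1", "FLAW-sendmail-1", "sendmail", "redhat-7.3", date(2002, 3, 1), date(2002, 3, 4)),
    Advisory("A-2", "FLAW-sendmail-1", "sendmail", "debian-3.0", date(2002, 3, 1), date(2002, 3, 2)),
    Advisory("A-3", "FLAW-sendmail-1", "sendmail", "suse-8.0",   date(2002, 3, 1), date(2002, 3, 6)),
    Advisory("A-4", "FLAW-sendmail-1", "sendmail", "upstream",   date(2002, 3, 1), date(2002, 3, 1)),
    Advisory("A-5", "FLAW-openssh-1",  "openssh",  "redhat-7.3", date(2002, 6, 24), date(2002, 7, 8)),
    Advisory("A-6", "FLAW-openssh-1",  "openssh",  "debian-3.0", date(2002, 6, 24), date(2002, 6, 26)),
    Advisory("A-7", "FLAW-zlib-1",     "zlib",     "upstream",   date(2002, 3, 11), date(2002, 3, 11)),
]

def raw_count(advisories):
    """The headline number: every advisory counts once, duplicates included."""
    return len(advisories)

def distinct_flaws(advisories):
    """Rule 1: collapse per-distribution reports onto the underlying flaw."""
    return {a.flaw_id for a in advisories}

def relevant(advisories, distro, installed):
    """Rules 2 and 3: keep only flaws shipped in your distribution, in packages you run."""
    return [a for a in advisories if a.distro == distro and a.package in installed]

def exposure_days(advisories):
    """Rule 4: days each relevant flaw stayed open; None means still unpatched."""
    return {a.flaw_id: (a.patched - a.disclosed).days if a.patched else None
            for a in advisories}

if __name__ == "__main__":
    # A Red Hat 7.3 box that runs Postfix rather than Sendmail: the sendmail flaw is noise.
    mine = relevant(ADVISORIES, "redhat-7.3", {"postfix", "openssh"})
    print(raw_count(ADVISORIES), len(distinct_flaws(ADVISORIES)), len(mine), exposure_days(mine))
```

On this data the seven advisories are three real flaws, of which one affects the Postfix-based Red Hat box, and it stayed open for two weeks.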

Don't assume that open-source software is inherently insecure because crackers can see the source code. History shows that crackers don't need source code to find exploits, but motivated technical people need source code to close holes. Open source restores the balance of power by allowing holes to be closed faster than a single software organization could manage.

Accurately evaluating security flaws might finally yield statistics that mean something.
